https://pdfium-review.googlesource.com/2355
https://crbug.com/681300
https://pdfium.googlesource.com/pdfium/+/master/libtiff/

Author: Nicolas Pena <npm@chromium.org>
Date:   Wed Jan 25 10:41:06 2017 -0500

Prevent skew overflows in gtTileContig

Using int64 to check whether uint32 operations have overflowed.

--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
@@ -31,6 +31,7 @@
  */
 #include "tiffiop.h"
 #include <stdio.h>
+#include <limits.h>
 
 static int gtTileContig(TIFFRGBAImage*, uint32*, uint32, uint32);
 static int gtTileSeparate(TIFFRGBAImage*, uint32*, uint32, uint32);
@@ -629,6 +628,7 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
     uint32 tw, th;
     unsigned char* buf;
     int32 fromskew, toskew;
+    int64 safeskew;
     uint32 nrow;
     int ret = 1, flip;
     uint32 this_tw, tocol;
@@ -649,19 +647,37 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
     flip = setorientation(img);
     if (flip & FLIP_VERTICALLY) {
 	    y = h - 1;
-	    toskew = -(int32)(tw + w);
+	    safeskew = 0;
+	    safeskew -= tw;
+	    safeskew -= w;
     }
     else {
 	    y = 0;
-	    toskew = -(int32)(tw - w);
+	    safeskew = 0;
+	    safeskew -= tw;
+	    safeskew +=w;
     }
      
+    if(safeskew > INT_MAX || safeskew < INT_MIN){
+       _TIFFfree(buf);
+       TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew");
+       return (0);
+    }
+    toskew = safeskew;
+
     /*
      *	Leftmost tile is clipped on left side if col_offset > 0.
      */
     leftmost_fromskew = img->col_offset % tw;
     leftmost_tw = tw - leftmost_fromskew;
-    leftmost_toskew = toskew + leftmost_fromskew;
+    safeskew = toskew;
+    safeskew += leftmost_fromskew;
+    if(safeskew > INT_MAX || safeskew < INT_MIN){
+       _TIFFfree(buf);
+       TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew");
+       return (0);
+    }
+    leftmost_toskew = safeskew;
     for (row = 0; row < h; row += nrow)
     {
         rowstoread = th - (row + img->row_offset) % th;
@@ -704,9 +684,24 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
 		/*
 		 * Rightmost tile is clipped on right side.
 		 */
-		fromskew = tw - (w - tocol);
+		safeskew = tw;
+		safeskew -= w;
+		safeskew += tocol;
+		if(safeskew > INT_MAX || safeskew < INT_MIN){
+		        _TIFFfree(buf);
+		        TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew");
+		        return (0);
+		}
+		fromskew = safeskew;
 		this_tw = tw - fromskew;
-		this_toskew = toskew + fromskew;
+		safeskew = toskew;
+		safeskew += fromskew;
+		if(safeskew > INT_MAX || safeskew < INT_MIN){
+		        _TIFFfree(buf);
+		        TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew");
+		        return (0);
+		}
+		this_toskew = safeskew;
 	    }
 	    (*put)(img, raster+y*w+tocol, tocol, y, this_tw, nrow, fromskew, this_toskew, buf + pos);
 	    tocol += this_tw;
